Article

A Dose of AI Could Be the Cure for Hospital Data Center Cyberattacks

by Santosh Varughese

December 22, 2016

Machine learning can help protect electronic health records from hackers.

I know how terrible healthcare records theft can be. I myself have been the victim of a data theft by hackers who stole my deceased father’s medical files, running up more than $300,000 in false charges. I am still disputing on-going bills that have been accruing for the last 15 years.

This event led me on the path to finding a solution so others would not suffer the consequences that I continue to be impacted by, but hospitals and other healthcare providers must be willing to make the change.

The writing is on the wall. A report by Experian predicts 2017 will be worse than ever for the healthcare industry as more attackers recognize the value of rich medical record info. Cybersecurity Ventures predicts global annual cybercrime costs will grow from $3 trillion in 2015 to $6 trillion annually by 2021, which includes the cost of stolen money, damaged or destroyed of data, lost productivity, embezzlement, and fraud, as well as the theft of intellectual property, personal data, and financial data. (This doesn’t even include post-attack disruptions to the normal course of business, forensic investigations, the restoration and deletion of hacked data or systems, and reputational harm.)

In June 2016, more than 11 million patients’ electronic health records (EHRs) were breached, making it the year's worst month, according to a study by DataBreaches.net and Prontenus. For comparison, May saw less than 700,000 records stolen, and March, 2016's former breach leader, topped out at just over 2.5 million.

While traditional security filters like firewalls and reputation lists are good practice, they are no longer enough. Hackers increasingly bypass perimeter security, enabling cyber thieves to pose as authorized users with access to hospital networks for unlimited periods of time. This problem is caused not only by high-tech issues, but also low-tech ones that require providers across the continuum to simply become smarter about data protection and privacy issues. Medical facilities are finding they must teach doctors and nurses not to click on suspicious links.

It’s the Data, Stupid

Safeguarding EHR data should be a primary concern, while protecting the network or the perimeter is secondary. Why? Because personal health information is 50 times more valuable on the black market than financial information. Stolen patient health records can fetch as much as $60 per record. If your data is protected, the network paths leading to it become less strategic for hackers to target. Why have post-incident responses when you can deploy a pre-incident response? It is the old “stop chasing the rats and protect the cheese” argument.

However, organizational threats manifest themselves through changing and complex signals that are difficult to detect with traditional signature-based and rule-based monitoring solutions. These threats include external attacks that evade perimeter defenses as well as internal attacks by malicious insiders or negligent employees.

Along with insufficient threat detection, traditional tools can contribute to “alert fatigue” by excessively warning about activities that may not be indicative of a real security incident. This requires skilled security analysts to waste their time identifying and investigating false alerts when there is already a shortage of these skilled professionals.

Some cybersecurity sleuths deploy a variety of traps to catch hacks, including threat intelligence platforms that use signature-based detection and blacklists to scan computers for known offenders. These tools identify whether those types of files exist in the system based on signatures developed by human insight.

However, millions of patient records and other medical data files need to be uploaded to cloud-based threat-intelligent platforms in order for this to work, as scanning a computer for all of them would slow the machine down to a crawl or make it inoperable. Even if you successfully deployed this strategy, cyber-threats develop so fast that traditional threat intelligence platforms can’t keep up with the bad guys. Besides, why wait until after you are hacked?

Healthcare security pros need to pick up where those traditional security tools end and realize that it’s the data that is ultimately at risk. Safeguarding the EHR data is as important, if not more imperative, than just protecting the network or the perimeter. And traditional security tools often can’t accomplish that goal.

The Potent Combo of Forensics and Machine Learning

Instead of signature- and reputation-based detection methods, smart healthcare CSOs and CISOs are moving from post-incident to pre-incident threat intelligence. They are looking at artificial intelligence innovations that use machine learning algorithms to drive superior security forensics results.

In the past, humans had to look at large sets of data to try to distinguish the good characteristics from the bad ones. With machine learning, the computer is trained to find those differences much faster by leveraging multidimensional signatures that detect problems and examine patterns to identify anomalies and trigger a mitigation response.

Machine learning generally works in two ways: supervised and unsupervised. With supervised learning, humans tell the machines which behaviors are good and bad, and the machines figure out commonalities to develop multidimensional signatures. With unsupervised learning, the machines develop algorithms without having the data labeled, so they can analyze the clusters to figure out what’s normal and what’s an anomaly.

The best approach is to implement an unsupervised, machine learning protective shield that delivers a defensive layer across EHR platforms and other hospital IT systems. Such a self-learning system works most effectively with the flexibility of being able to cast a rapidly scalable safety net across an organization’s information ecosystem, whether that ecosystem is distributed or centralized, local or global, cloud or on-premise. Whether data resides in a large healthcare system or small chain of clinics, rogue users can be identified instantly.

By applying machine learning techniques across a diverse set of data sources, systems can become increasingly intelligent by absorbing more and more relevant data. These systems can then help optimize the efficiency of hospital security personnel, enabling organizations to more effectively identify threats. With multiple machine learning modules to scrutinize security data, organizations can identify and connect otherwise unnoticeable, subtle security signals.

Healthcare security analysts of all experience levels can also be empowered with machine learning through pre-analyzed context for investigations, making it easier for them to discover threats. This enables hospital CISOs to proactively combat sophisticated EHR attacks by accelerating detection efforts, reducing the time for investigation and response.

The Digital Eye Sees All

Once a machine learning system is in place, organizations need to identify solutions that employ behavioral analytics, which will baseline normal behaviors and identify irregularities. While the technology is advanced, the concept is simple.

“EHR systems and EHR-compatible health care systems produce and manage a lot of data. This makes the industry a sitting duck for cybercriminals,” says Dr. Donald Voltz, board-certified anesthesiologist, researcher, medical educator, and entrepreneur. “With a cloud-based security net of machine-learning, ambient technology and behavioral analysis that can cover all of the EHR platforms, interoperable or not, a great high tech security blanket is achieved.”

One of the more popular AI strategies is an ambient cognitive cyber surveillance shield which casts an “all seeing eye” security net that digitally fingerprints user access behavior, identifying rogue users virtually instantly. This technology creates a virtual, formidable defense layer powered by cognitive surveillance that is simple to deploy, easy to use, and operates automatically in the background. It can vastly improve an organization’s defense against cybersecurity threats, data breaches, and privacy violations.

An enterprise cybersecurity deployment such as this understands, recognizes, and remembers normal user habits, patterns, and behavior as they use applications in their day-to-day work. Through a baseline, such a platform is able to predict and detect anomalous user activity in real-time, thereby mitigating risks rapidly.

Hospital and other healthcare facilities can easily deploy this type of advanced, self-learning protective shield that can rapidly scale across EHR systems, whether distributed or centralized, cloud or on-premise.

If your healthcare facility deploys this type of comprehensive cybersecurity system, the gloomy doomsday scenario of EHR theft offered by many cybersecurity analysts will no longer be a concern.